auto-merge envoyproxy/envoy[release/v1.35] into envoyproxy/envoy-openssl[release/v1.35] #424
+365
−31
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
selected backport of #42317 Signed-off-by: Ryan Northey <[email protected]>
Signed-off-by: Ryan Northey <[email protected]>
Signed-off-by: Ryan Northey <[email protected]>
So that `%START_TIME_LOCAL%` works in the logs. Fixes: #42313 Signed-off-by: Jonh Wendell <[email protected]>
Signed-off-by: Jonh Wendell <[email protected]>
…ct is enabled (#42024) This PR fixes a connection leak in the TCP proxy when the `receive_before_connect` feature is enabled and the downstream connection closes before the upstream connection is established. After this, the TCP Proxy should properly propagates the end-of-stream signal to the upstream connection even when no data gets received from the downstream, preventing upstream connection leaks. Fix envoyproxy/envoy#42006 --- **Commit Message**: tcp_proxy: fixes a cx leak in the TCP Proxy when receive_before_connect is enabled **Additional Description:** Fixed a connection leak in the TCP proxy when the `receive_before_connect` feature is enabled and the downstream connection closes before the upstream connection is established. **Risk Level:** Low **Testing:** Added Tests **Docs Changes:** N/A **Release Notes:** Added Signed-off-by: Rohit Agrawal <[email protected]>
Certificates with an OTHERNAME SAN using type `V_ASN1_UNIVERSALSTRING` or `V_ASN1_BMPSTRING` with an embedded null would have the name truncated at the first null, resulting in an incorrect check. Signed-off-by: Greg Greenway <[email protected]> Signed-off-by: Yan Avlasov <[email protected]>
Signed-off-by: Boteng Yao <[email protected]>
Signed-off-by: Yan Avlasov <[email protected]>
Signed-off-by: Ryan Northey <[email protected]>
update-openssl-envoy
bot
force-pushed
the
auto-merge-release-v1-35
branch
3 times, most recently
from
9dbc3c9 to
9512fab
Compare
* Security fixes: - CVE-2025-64527: Envoy crashes when JWT authentication is configured with the remote JWKS fetching - CVE-2025-66220: TLS certificate matcher for `match_typed_subject_alt_names` may incorrectly treat certificates containing an embedded null byte - CVE-2025-64763: Potential request smuggling from early data after the CONNECT upgrade **Docker images**: https://hub.docker.com/r/envoyproxy/envoy/tags?page=1&name=v1.35.7 **Docs**: https://www.envoyproxy.io/docs/envoy/v1.35.7/ **Release notes**: https://www.envoyproxy.io/docs/envoy/v1.35.7/version_history/v1.35/v1.35.7 **Full changelog**: envoyproxy/envoy@v1.35.6...v1.35.7
Co-authored-by: publish-envoy[bot] <140627008+publish-envoy[bot]@users.noreply.github.com>
update-openssl-envoy
bot
force-pushed
the
auto-merge-release-v1-35
branch
11 times, most recently
from
3051ca7 to
8ab2d09
Compare
…ssl[release/v1.35] * upstream/release/v1.35: repo: Dev v1.35.8 (#42403) repo: Release v1.35.7 changelogs/1.35.7: Add summary Add option to reject early CONNECT data fix jwt_auth crash with two or more auth header tls: fix SAN validation for OTHERNAME types with embedded nulls Certificates with an OTHERNAME SAN using type `V_ASN1_UNIVERSALSTRING` or `V_ASN1_BMPSTRING` with an embedded null would have the name truncated at the first null, resulting in an incorrect check. tcp_proxy: fixes a cx leak in the TCP Proxy when receive_before_connect is enabled (#42024) distribution/docker: Bump Ubuntu -> 104ae837 (#42337) distribution/docker: Install tzdata (#42338) bazel: Bump -> 7.7.1 (#42295) bazelrc: Add compatibility with repo settings github/ci: Fix request workflow (#42355) Signed-off-by: jwendell <[email protected]>
update-openssl-envoy
bot
force-pushed
the
auto-merge-release-v1-35
branch
from
8ab2d09 to
04709d2
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Generated by envoy-sync-receive.sh